Browse Source

Merge pull request #46 from myii/test/manage-map.jinja-verification

test(map): verify `map.jinja` dump using `_mapdata` state
tags/v1.1.1
Imran Iqbal 4 years ago
parent
commit
0def96f632
No account linked to committer's email address
24 changed files with 2222 additions and 97 deletions
  1. +3
    -1
      CODEOWNERS
  2. +13
    -0
      firewalld/_mapdata/_mapdata.jinja
  3. +24
    -0
      firewalld/_mapdata/init.sls
  4. +0
    -16
      firewalld/yaml_dump/init.sls
  5. +0
    -4
      firewalld/yaml_dump/yaml_dump.jinja
  6. +1
    -1
      kitchen.yml
  7. +47
    -0
      test/integration/default/controls/_mapdata_spec.rb
  8. +68
    -75
      test/integration/default/files/_mapdata/amazonlinux-1.yaml
  9. +161
    -0
      test/integration/default/files/_mapdata/amazonlinux-2.yaml
  10. +161
    -0
      test/integration/default/files/_mapdata/arch-base-latest.yaml
  11. +161
    -0
      test/integration/default/files/_mapdata/centos-7.yaml
  12. +161
    -0
      test/integration/default/files/_mapdata/centos-8.yaml
  13. +161
    -0
      test/integration/default/files/_mapdata/debian-10.yaml
  14. +161
    -0
      test/integration/default/files/_mapdata/debian-9.yaml
  15. +161
    -0
      test/integration/default/files/_mapdata/fedora-31.yaml
  16. +161
    -0
      test/integration/default/files/_mapdata/fedora-32.yaml
  17. +161
    -0
      test/integration/default/files/_mapdata/opensuse-15.yaml
  18. +161
    -0
      test/integration/default/files/_mapdata/ubuntu-16.yaml
  19. +161
    -0
      test/integration/default/files/_mapdata/ubuntu-18.yaml
  20. +161
    -0
      test/integration/default/files/_mapdata/ubuntu-20.yaml
  21. +3
    -0
      test/integration/default/inspec.yml
  22. +21
    -0
      test/integration/share/README.md
  23. +21
    -0
      test/integration/share/inspec.yml
  24. +89
    -0
      test/integration/share/libraries/system.rb

+ 3
- 1
CODEOWNERS View File

@@ -10,7 +10,6 @@

# SECTION: Owner(s) for specific directories
# FILE PATTERN OWNER(S)
/test/ @myii

# SECTION: Owner(s) for files/directories related to `semantic-release`
# FILE PATTERN OWNER(S)
@@ -20,8 +19,11 @@
/docs/AUTHORS.rst @saltstack-formulas/ssf
/docs/CHANGELOG.rst @saltstack-formulas/ssf
/docs/TOFS_pattern.rst @saltstack-formulas/ssf
/*/_mapdata/ @saltstack-formulas/ssf
/*/libsaltcli.jinja @saltstack-formulas/ssf
/*/libtofs.jinja @saltstack-formulas/ssf
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf
/test/integration/**/inspec.yml @saltstack-formulas/ssf
/test/integration/**/README.md @saltstack-formulas/ssf
/.gitignore @saltstack-formulas/ssf

+ 13
- 0
firewalld/_mapdata/_mapdata.jinja View File

@@ -0,0 +1,13 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get("osfinger", grains.os) }}
---
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
{{ salt["slsutil.serialize"](
"yaml",
map,
default_flow_style=False,
allow_unicode=True,
)
| regex_replace("^\s+'$", "'", multiline=True)
| trim
}}

+ 24
- 0
firewalld/_mapdata/init.sls View File

@@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split("/")[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld with context %}

{%- set _mapdata = {
"values": {
"firewalld": firewalld,
}
} %}
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}

{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}

{{ tplroot }}-mapdata-dump:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
- template: jinja
- context:
map: {{ _mapdata | yaml }}

+ 0
- 16
firewalld/yaml_dump/init.sls View File

@@ -1,16 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}

{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}

yaml-dump-{{ tplroot }}:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
- template: jinja
- context:
map: {{ map | yaml }}

+ 0
- 4
firewalld/yaml_dump/yaml_dump.jinja View File

@@ -1,4 +0,0 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
---
{{ map|yaml(False)|trim }}

+ 1
- 1
kitchen.yml View File

@@ -156,7 +156,7 @@ suites:
state_top:
base:
'*':
- firewalld.yaml_dump
- firewalld._mapdata
- firewalld
pillars:
top.sls:

+ 47
- 0
test/integration/default/controls/_mapdata_spec.rb View File

@@ -0,0 +1,47 @@
# frozen_string_literal: true

require 'yaml'

control '`map.jinja` YAML dump' do
title 'should match the comparison file'

### Method
# The steps below for each file appear convoluted but they are both required
# and similar in nature:
# 1. The earliest method was to simply compare the files textually but this often
# led to false positives due to inconsistencies (e.g. spacing, ordering)
# 2. The next method was to load the files back into YAML structures and then
# compare but InSpec provided block diffs this way, unusable by end users
# 3. The final step was to dump the YAML structures back into a string to use
# for the comparison; this both worked and provided human-friendly diffs

### Comparison file for the specific platform
### Static, adjusted as part of code contributions, as map data is changed
# Strip the `platform[:finger]` version number down to the "OS major release"
platform_finger = system.platform[:finger].split('.').first.to_s
# Use that to set the path to the file (relative to the InSpec suite directory)
mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
# Load the mapdata from profile, into a YAML structure
# https://docs.chef.io/inspec/profiles/#profile-files
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
# Dump the YAML back into a string for comparison
mapdata_file_dump = YAML.dump(mapdata_file_yaml)

### Output file produced by running the `_mapdata` state
### Dynamic, generated during Kitchen's `converge` phase
# Derive the location of the dumped mapdata (differs for Windows)
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
# Use that to set the path to the file (absolute path, i.e. within the container)
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
# Load the output into a YAML structure using InSpec's `yaml` resource
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
output_file_yaml = yaml(output_file_path).params
# Dump the YAML back into a string for comparison
output_file_dump = YAML.dump(output_file_yaml)

describe 'File content' do
it 'should match profile map data exactly' do
expect(output_file_dump).to eq(mapdata_file_dump)
end
end
end

test/integration/default/controls/yaml_dump_spec.rb → test/integration/default/files/_mapdata/amazonlinux-1.yaml View File

@@ -1,10 +1,8 @@
# frozen_string_literal: true

control 'firewalld `map.jinja` YAML dump' do
title 'should contain the lines'

yaml_dump = "---\n"
yaml_dump += <<~YAML_DUMP.chomp
# yamllint disable rule:indentation rule:line-length
# Amazon Linux AMI-2018
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
@@ -23,115 +21,98 @@ control 'firewalld `map.jinja` YAML dump' do
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: '0'
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough:
MYPASSTHROUGH:
chain: FORWARD
ipv: ipv4
args: -t raw -A MYCHAIN -j DROP
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: hash:ip
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: hash:ip
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 2a01::1
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
short: sshcustom
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure encrypted
communications. If you plan on accessing your machine remotely via SSH over
a firewalled interface, enable this option. You need the openssh-server package
installed for this option to be useful.
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: zabbix custom rule
ports:
tcp:
- '10051'
salt-minion:
short: salt-minion
description: salt-minion
ports:
tcp:
- '8000'
short: Zabbixcustom
zones:
public:
short: Public
description: For use in public areas. You do not trust the other computers on
networks to not harm your computer. Only selected incoming connections are accepted.
services:
- http
- https
- ssh
- salt-minion
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
- comment: zabbix-agent
port: 10050
@@ -142,6 +123,24 @@ control 'firewalld `map.jinja` YAML dump' do
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
@@ -150,7 +149,6 @@ control 'firewalld `map.jinja` YAML dump' do
port: 4444
protocol: tcp
rich_public:
short: rich_public
description: Example
rich_rules:
ssh-csg:
@@ -160,9 +158,4 @@ control 'firewalld `map.jinja` YAML dump' do
- other-ipset
services:
- ssh
YAML_DUMP

describe file('/tmp/salt_yaml_dump.yaml') do
its('content') { should include yaml_dump }
end
end
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/amazonlinux-2.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Amazon Linux-2
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/arch-base-latest.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Arch
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/centos-7.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# CentOS Linux-7
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/centos-8.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# CentOS Linux-8
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/debian-10.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Debian-10
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/debian-9.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Debian-9
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/fedora-31.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Fedora-31
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/fedora-32.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Fedora-32
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/opensuse-15.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Leap-15
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/ubuntu-16.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-16.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/ubuntu-18.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-18.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 161
- 0
test/integration/default/files/_mapdata/ubuntu-20.yaml View File

@@ -0,0 +1,161 @@
# yamllint disable rule:indentation rule:line-length
# Ubuntu-20.04
---
values:
firewalld:
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
passthrough:
MYPASSTHROUGH:
args: -t raw -A MYCHAIN -j DROP
ipv: ipv4
rule:
INTERNETACCESS:
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
chain: FORWARD
ipv: ipv4
priority: '0'
table: filter
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
description: fail2ban-ssh ipset
entries:
- 10.0.0.1
options:
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh
type: hash:ip
fail2ban-ssh-ipv6:
description: fail2ban-ssh-ipv6 ipset
entries:
- 2a01::1
options:
family:
- inet6
hashsize:
- 1024
maxelem:
- 65536
timeout:
- 300
short: fail2ban-ssh-ipv6
type: hash:ip
package: firewalld
service: firewalld
services:
salt-minion:
description: salt-minion
ports:
tcp:
- '8000'
short: salt-minion
sshcustom:
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for
logging into and executing commands on remote machines. It provides secure
encrypted communications. If you plan on accessing your machine remotely
via SSH over a firewalled interface, enable this option. You need the openssh-server
package installed for this option to be useful.
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
modules:
- some_module_to_load
ports:
tcp:
- 3232
- 5252
protocols:
- igmp
short: sshcustom
source_ports:
tcp:
- 21
zabbixcustom:
description: zabbix custom rule
ports:
tcp:
- '10051'
short: Zabbixcustom
zones:
public:
description: For use in public areas. You do not trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.
other_services:
- zabbixcustom
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
protocols:
- igmp
rich_rules:
- accept: true
family: ipv4
source:
address: 8.8.8.8/24
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
services:
- http
- https
- ssh
- salt-minion
short: Public
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
short: rich_public

+ 3
- 0
test/integration/default/inspec.yml View File

@@ -6,6 +6,9 @@ title: firewalld formula
maintainer: SaltStack Formulas
license: Apache-2.0
summary: Verify that the firewalld formula is setup and configured correctly
depends:
- name: share
path: test/integration/share
supports:
- platform-name: debian
- platform-name: ubuntu

+ 21
- 0
test/integration/share/README.md View File

@@ -0,0 +1,21 @@
# InSpec Profile: `share`

This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).

Its goal is to share the libraries between all profiles.

## Libraries

### `system`

The `system` library provides easy access to system dependent information:

- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
- `system.platform[:family]` provide a family name for Arch and Gentoo
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
- `Arch` is always `base-latest`
- `Amazon Linux` release `2018` is resolved as `1`
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)

+ 21
- 0
test/integration/share/inspec.yml View File

@@ -0,0 +1,21 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: share
title: InSpec shared resources
maintainer: SaltStack Formulas
license: Apache-2.0
summary: shared resources
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon
- platform-name: oracle
- platform-name: arch
- platform-name: gentoo
- platform: windows

+ 89
- 0
test/integration/share/libraries/system.rb View File

@@ -0,0 +1,89 @@
# frozen_string_literal: true

# system.rb -- InSpec resources for system values
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>

class SystemResource < Inspec.resource(1)
name 'system'

attr_reader :platform

def initialize
super
@platform = build_platform
end

private

def build_platform
{
family: build_platform_family,
name: build_platform_name,
release: build_platform_release,
finger: build_platform_finger
}
end

def build_platform_family
case inspec.platform[:name]
when 'arch', 'gentoo'
inspec.platform[:name]
else
inspec.platform[:family]
end
end

def build_platform_name
case inspec.platform[:name]
when 'amazon', 'oracle'
"#{inspec.platform[:name]}linux"
when 'windows_8.1_pro', 'windows_server_2019_datacenter'
'windows'
else
inspec.platform[:name]
end
end

# rubocop:disable Metrics/MethodLength
def build_platform_release
case inspec.platform[:name]
when 'amazon'
# `2018` relase is named `1` in kitchen.yaml
inspec.platform[:release].gsub(/2018.*/, '1')
when 'arch'
'base-latest'
when 'gentoo'
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
when 'windows_8.1_pro'
'8.1'
when 'windows_server_2019_datacenter'
'2019-server'
else
inspec.platform[:release]
end
end
# rubocop:enable Metrics/MethodLength

def derive_gentoo_init_system
case inspec.command('systemctl').exist?
when true
'sysd'
else
'sysv'
end
end

def build_platform_finger
"#{build_platform_name}-#{build_finger_release}"
end

def build_finger_release
case inspec.platform[:name]
when 'ubuntu'
build_platform_release.split('.').slice(0, 2).join('.')
else
build_platform_release.split('.')[0]
end
end
end

Loading…
Cancel
Save